Health Care

To date, a total of 25 DPAs have imposed 94 fines (+48 in comparison to the 2021 ETR) for data protection violations by hospitals, pharmacies, physicians and medicine suppliers. This means that in the health care sector, more fines have been issued in the past year alone than in all previous reporting periods taken together. The sum of fines now amounts to more than EUR 12.7 million, which is an increase of EUR 3.0 million compared to last year. While the number of fines has more than doubled, the absolute amount increased by less than 25%, indicating that the average fine was lower in 2021 than in recent years.

This could be interpreted to mean that in 2021 the authorities not only considered major landmark cases but also widened the scope of their supervisory activities to address less prominent cases.

The predominant field of data protection violations remains the lack of sufficient technical and organisational data protection measures, with a total of 38 fines (+17 in comparison to the 2021 ETR) and a total volume of fines of EUR 9.6 million. The fines issued in this area were, however, comparatively low and only added EUR 0.7 million in comparison to the 2021 ETR.

Regarding the countries from which the fines originated, Italy takes the lead with 21 of the 48 new fines in the health care sector having been issued there. Runners-up are Sweden with 7 new fines and Denmark, Romania and Spain with three each.

But let's take a closer look

  • As in recent years, the main reason for the fines was that technical and organisational measures were insufficient or (partly) missing.
  • One major case again originated in Sweden and concerned Sweden's central telephone hotline offering advice on health-related topics. Recordings of the phone calls were available on a web server with no password protection or other security measures due to a misconfiguration. The main provider responsible for setting up and organising the telephone service was fined EUR 1.2 million (ETid-718); the provider who hosted the data was fined EUR 64,500 (ETid-719). In addition to the providers, three of the Swedish public regions were also fined for not properly informing the data subjects about the processing and in particular the collection of call data (ETid-715, ETid-716, ETid-717).
  • Another significant fine was issued against a psychotherapy centre which suffered a data leak after an attack on its patient database. The most likely cause of the attack's success was an exposed database port combined with a root database account that was not password protected. Furthermore, the patient database server was open to the internet without firewall protection. Due to insufficient logging, neither the exact date of the breach nor the network addresses used by the attacker could be identified. In addition, the authorities found that the data breach notification had been carried out too late. The fine for the incident was EUR 608,000 in total, about half of which was attributed to the insufficient protection of the data, whereas the other half was attributed in equal parts to the delayed involvement of the authorities and the similarly delayed information of the data subjects (ETid-952).
  • Some of the fines revolved around data processing in connection with the COVID-19 pandemic, where data protection considerations seem to have been omitted under the impression of urgency. For example, in Denmark, a test centre chose WhatsApp to exchange confidential health data between the employees of the test centre. Furthermore, the exchange was organised via one centralised WhatsApp group which contained all employees. The use of WhatsApp and the disregard of the need-to-know principle resulted in a fine of EUR 80,700 (ETid-757). In Hungary, a public authority collected the results of many COVID-19 rapid tests together with contact data of doctors and patients in a single, unencrypted Excel file. This resulted in a fine of EUR 27,700 (ETid-666). In Italy, the health administration used a system to manage COVID-19 screening data which used sequential numbers (instead of random IDs) to identify data subjects, thereby making it possible for unauthorised persons to access other persons' data by simply incrementing or decrementing the ID number assigned to them. This resulted in a fine of EUR 14,000 (ETid-1068).
  • Further cases involved a Swedish university hospital in Uppsala which was fined for sending unencrypted e-mails with health data to third countries and storing health data in "Outlook online". This resulted in a fine of EUR 152,000 (ETid-1014). Likewise, in a new case from Norway, the use of unencrypted storage and the lack of access restrictions at a Norwegian hospital resulted in a data breach and was subject to a fine of EUR 75,600 (ETid-859). Similar cases from previous years remain noteworthy; they likewise concern insufficient access management systems at hospitals that allowed excessive access by unauthorised persons. Fines ranged from EUR 30,000 in Italy (ETid-212) (in a case where only two individual doctors had access to health data of their colleagues) to EUR 400,000 in Portugal (ETid-45) and EUR 460,000 in the Netherlands (ETid-63), where the entire patient database was insufficiently protected.
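The Italian screening-system case above is a textbook instance of an insecure direct object reference: the record ID alone is both the lookup key and the only "proof" of entitlement. The example below is added here to illustrate the point and is not code from the report or from any of the systems it describes. It contrasts a store that issues consecutive IDs and serves any record by number with a hardened store that issues random, unguessable tokens and additionally checks that the requester is the data subject the record belongs to. All names (`ScreeningResult`, `SequentialIdStore`, `OpaqueIdStore`, the subject identifiers) are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class ScreeningResult:
    subject: str   # hypothetical identifier of the person tested (assumed)
    outcome: str   # e.g. "negative" or "positive"


def ids_are_consecutive(ids):
    """Quick review check: does an issued sequence of integer IDs step by one?
    True means any holder of one ID can trivially derive the neighbours."""
    ids = list(ids)
    return len(ids) > 1 and all(b - a == 1 for a, b in zip(ids, ids[1:]))


class SequentialIdStore:
    """The pattern the Italian authority fined: records are keyed by a running
    counter and returned to whoever presents that number. Nothing ties the
    number to the requester, so knowing one ID gives access to all others."""

    def __init__(self):
        self._next_id = 1
        self._records = {}

    def add(self, result):
        record_id = self._next_id
        self._next_id += 1
        self._records[record_id] = result
        return record_id

    def get(self, record_id):
        # No authorisation: the ID alone is treated as entitlement.
        return self._records[record_id]


class OpaqueIdStore:
    """Hardened variant: a 128-bit random token as the record ID (not
    derivable from other tokens) plus an explicit ownership check, so the
    token is a locator and the requester identity is the authorisation."""

    def __init__(self):
        self._records = {}

    def add(self, result):
        token = secrets.token_urlsafe(16)   # 16 random bytes -> 22 URL-safe chars
        self._records[token] = result
        return token

    def get(self, token, requester):
        record = self._records.get(token)
        if record is None or record.subject != requester:
            # Same failure for "unknown token" and "not your record": the
            # response must not reveal whether a token exists.
            raise PermissionError("no accessible record for this token")
        return record


if __name__ == "__main__":
    weak = SequentialIdStore()
    issued = [weak.add(ScreeningResult(s, "negative")) for s in ("anna", "bruno", "carla")]
    print("sequential IDs:", issued, "guessable:", ids_are_consecutive(issued))

    strong = OpaqueIdStore()
    token = strong.add(ScreeningResult("anna", "negative"))
    print("opaque ID:", token, "owner lookup:", strong.get(token, "anna").outcome)
```

The ownership check is the part that matters most: random tokens alone only raise the cost of guessing, whereas binding each record to an authenticated subject removes the class of bug entirely, even if a token leaks through a shared link or browser history.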

Main takeaway

The key causes of fines in the health care sector continue to originate from technical and organisational data protection deficiencies, in particular the inappropriate setup (or lack) of access restrictions and access management systems. This remained a common issue across many healthcare institutions without a particular regional focus. However, it is noteworthy that in the past year, the authorities in Sweden and Italy have been particularly active in the field of health care.

In addition to technical and organisational measures for preventing data breaches, it is advisable to also implement measures that help identify the start, duration and scope of a potential attack, so that the authorities and affected data subjects can be adequately informed. The lack of such measures for managing breaches that have already occurred was itself subject to a fine in the past year.
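The psychotherapy-centre case above (where neither the date of the breach nor the attacker's network addresses could be established) and this takeaway point at the same gap: without an audit trail that records who accessed the database, from where and what was read, the start, duration and scope of an incident cannot be reconstructed for a notification. The following example is added here to show what such a trail makes possible; it is not code from the report or from any system it describes. The audit log format, the sample lines and the trusted-network assumption are all constructed for the example (the source addresses use documentation ranges).

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample of a database audit log (not from any real system). Each
# line records the time, client address, account, action, table and row count.
SAMPLE_AUDIT_LOG = """\
2021-03-04T08:02:11Z src=10.20.0.15 user=app db=patients action=SELECT table=appointments rows=12 result=ok
2021-03-04T22:17:05Z src=203.0.113.7 user=root db=patients action=LOGIN table=- rows=0 result=ok
2021-03-04T22:17:40Z src=203.0.113.7 user=root db=patients action=SELECT table=patients rows=1540 result=ok
2021-03-04T22:19:02Z src=203.0.113.7 user=root db=patients action=SELECT table=session_notes rows=9800 result=ok
2021-03-05T03:41:19Z src=198.51.100.22 user=root db=patients action=SELECT table=patients rows=1540 result=ok
2021-03-05T09:15:30Z src=10.20.0.15 user=app db=patients action=SELECT table=appointments rows=8 result=ok
"""

# Assumption for the example: database clients are only expected from this
# internal network; anything else is treated as unauthorised.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) db=(?P<db>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict with typed timestamp, address and rows."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable audit line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event["src"] = ipaddress.ip_address(event["src"])
    event["rows"] = int(event["rows"])
    return event


def is_untrusted(addr):
    return not any(addr in net for net in TRUSTED_NETWORKS)


def reconstruct_breach_window(log_text):
    """Derive the facts a breach notification needs: first and last unauthorised
    access, elapsed time, source addresses involved, and per table the largest
    number of rows read. Returns None when no untrusted access was logged."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines() if l.strip())
              if is_untrusted(e["src"])]
    if not events:
        return None
    tables_read = {}
    for e in events:
        if e["action"] == "SELECT":
            tables_read[e["table"]] = max(tables_read.get(e["table"], 0), e["rows"])
    first = min(e["ts"] for e in events)
    last = max(e["ts"] for e in events)
    return {
        "first_seen": first,
        "last_seen": last,
        "duration_hours": round((last - first).total_seconds() / 3600, 2),
        "sources": sorted({str(e["src"]) for e in events}),
        "tables_read": tables_read,
    }


if __name__ == "__main__":
    window = reconstruct_breach_window(SAMPLE_AUDIT_LOG)
    for key, value in window.items():
        print(f"{key}: {value}")
```

Two design choices are worth noting. The log captures the client address and the table and row count per query, which is exactly the information the authority could not obtain in the case above; and the trusted-network allowlist turns the reconstruction into a simple filter rather than a signature hunt, which is appropriate for a database that should never have been reachable from outside in the first place.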

The COVID-19 pandemic showed that the existing digital data processing structures were not yet ready to meet newly arising needs. New systems had to be set up quickly, which led to the use of readily available but inappropriate tools and a lack of further organisational measures.